Skip to main content

1.3 Elements of Risk

1.3 Elements of Risk


It is very important for a CRISC aspirant to understand following terminology associated with risk identification:





Magnitude of loss

Impact Analysis

Analysis to understand which assets are critical (on the basis of cost or consequences if those assets are not available or damaged).

Impact Assessment

Assessment of possible consequences of a risk.




Something that is capable of harming assets.

Threat Agent

Methods, resources, capacity etc. which is used to exploit vulnerability.

Threat Analysis

Analysis to understand the nature of events or actions that can result in adverse consequences.

Threat Vector

Path or route used by threat to gain access to the target.


Weakness in the process or system.

Vulnerability Analysis

Analysis to identify, understand and classify different vulnerabilities.

Vulnerability Scanning

Proactive and automated process to identify weakness in the system or processes. 


Risk Factors

  • It is very important to have knowledge of threats including motivations, strategy and techniques of those who perpetrate threats to manage the threat. The better understanding the risk practitioner has of the mind of the attacker or the source of the threat, the more effective the risk management activities will be in controlling the threat.

  • At the same time an enterprise needs to know its own weaknesses, strengths, vulnerabilities and the gaps.



Following table list down IS assets and their related risks: 




  • Many organizations fail to identify key employees and ensure that appropriate back-up arrangements are in place.

  • In case of exit of a key person by way of retirement or illness or recruitment by another organization, the organization may be  in a vulnerable position.


  • Risk practitioners should consider the risk of using outdated technology.

  • For outdated technology lack of patching and updating of systems and applications leaves them vulnerable to malware.

  • The risk practitioner should be sure that procedures are in place to securely delete data when systems are scheduled for disposal

  • Common methods of destroying data include overwriting, degaussing and physical destruction of the equipment.


  • Data can be either sensitive or critical or may be both sensitive and critical. Sensitive data must be protected from disclosure or modification, while critical data must be protected from destruction or loss.

  • Data should be protected at all times, in all forms (paper, magnetic storage, optical storage, reports, etc.) and in all locations (storage, networks, filing cabinets, archives, etc.).

Intellectual Property

  • Intellectual property includes trademarks, copyrights, patent, trade secrets etc.

  • Failure to protect intellectual property may result in the loss of competitive advantage.

  • Intellectual property should be protected by adequate means such as access controls, shredding of documents, encryption techniques etc. 

Business Processes

  • It is advantageous to have flexible business processes to adapt to changes in the market or technology.

  • Outdated processes possess significant risks for the organization.

Asset Valuation


  • The risk practitioner should determine criticality of each asset so that priority may be given to protecting the critical assets first and addressing other assets as per requirement.


  • This ensures that the cost of controls is not more than the cost of assets.


  • Following are some factors for calculating asset value:

  • Reputational loss and other penalties for legal noncompliance

  • Impact on associated third parties, business partners

  • Impact on business continuity

  • Monetary loss

  • Breach of contracts

  • Loss of competitive advantage

  • Legal costs

  • Generally, asset value is calculated on the basis of impact on confidentiality, integrity and availability (CIA). However, it is important to standardize the terms and values to be used by all the departments.



  • Key responsibility of a risk practitioner is to ensure that various types of threats applicable to an organization are identified and documented.


  • Threats which are not identified are more vulnerable than a threat that is well documented.


  • Sources of threat identification include past incidents, audit reports, media reports, information from national computer emergency response teams (CERTs), data from security vendors and communication with internal groups.


  • Risk scenarios are used at the time of threat and vulnerability assessment to identify various events and their likelihood and impact.


Internal Threats

Risk practitioner should ensure following controls for Internal Threats:


  • System access to be provided on the basis of need-to-know and least privilege.

  • To ensure stringent background verification (where permitted by law) process before hiring any employee. It is important to review the qualifications and attitude of prospective employees.


  • Employees should be required to sign a nondisclosure agreement.


  • Regular awareness sessions and management reviews to remind employees of organizational policies and their responsibilities.


  • Exit policy to be properly defined and implemented. At the end of employment, an employee should return all organizational assets (e.g., laptops, mobile phones, access cards, etc.) so it cannot be misused. All logical and physical access should be disabled immediately.

External Threats


Risk practitioner should ensure following controls for External Threats:


  • Use of government data and weather monitoring services to identify natural events like flood, earthquake etc.  and to take necessary steps to be prepared for such events.


  • To carry out risk assessment and audit of IT infrastructure and bridge the gap by establishing necessary controls.


  • Use of skilled workforce, effective tools and techniques to guard the assets against the highly skilled hacking community.  


  • Most breaches happen because targets are not well prepared. Many organizations are breached because they were identified as soft targets and hackers took advantage of their vulnerabilities.

Emerging Threats

Emerging threats are indicated by:


  • unusual pattern or activity on a system,

  • frequent alarms,

  • unusual system or network performance,

  • increase activity in logs.


  • Even though logs are captured, they are not monitored or acted on a timely basis and hence compromise cannot be prevented.   


  • New technology without proper security consideration becomes a source of new vulnerabilities.


  • It is very important for the risk practitioner to monitor the use of new technologies particularly if these technologies promise cost savings or competitive advantage.



  • Vulnerabilities are weaknesses in the security. Existence of vulnerability is a potential risk.

  • It represents lack of adequate controls.


  • An organization should conduct regular vulnerability assessments and bridge the gap before they are found by an adversary and exploited.


Difference between Vulnerability & Threat


One of the favorite and most preferred game of ISACA is to get us confused between the terms

‘vulnerability’ and ‘threat’ during CRISC exams. Let us understand basic difference between

the two so they cannot trick us anymore.




A threat is what we’re trying to protect against.

Vulnerability is a weakness or gap in our protection efforts.

Our enemy can be Earthquake, Fire, Hackers,

Malware, System Failure, Criminals and many other unknown forces.

Vulnerability can be in the form of weak coding, missing anti-virus, weak access control and other related factors.

Threats are not in our control.


Vulnerabilities can be controlled by us.



Network Vulnerabilities


  • Network vulnerabilities are often related to poor installation and misconfiguration of equipment.


  • Misconfiguration and failure to update operating system (OS) code correctly and on a timely basis possess very high risk.


  • Network equipment should be hardened by disabling any unneeded services, ports or protocols. Any open services can be exploited by an attacker.


  • Risk practitioners should have sufficient information about emerging technologies and related vulnerabilities.


Physical Access

  • Physical controls are a very important aspect in security as threat agents who are able to circumvent physical access to systems have the potential to bypass nearly every other type of control.


  • Physical security controls include locks, CCTV monitoring, biometric access control, security guards, fire suppression systems, heating ventilation and air conditioning controls, lighting, and motion sensors.

Applications and Web-facing Services


  • One of the most common entry points for hackers is web based applications.


  • Applications are vulnerable to attacks like buffer overflows, logic flaws, injection attacks, bugs, and many other common vulnerabilities.


  • Applications located at insecure locations such as demilitarized zones are more vulnerable to an attack.


  • It is recommended for risk practitioners to use tools from the Open Web Application Security Project (OWASP) to test web-facing applications.




  • The risk practitioner should ensure that an adequate backup facility is available in case of power failure or other environmental conditions.


  • Equipment such as uninterruptible power supply (UPS), backup generators and surge protectors can help to prevent system damage or failure.


  • Functioning of these equipment must be tested at regular intervals.


Supply Chain


  • It is important to identify and document all risks related to the supply chain.


  • Any interruption in the supply chain may affect the ability of the organization to function.



  • Operational processes must be defined and implemented in a consistent manner across the organization.


  • Unstructured processes result in inconsistent management, lack of governance and reporting, and failure to ensure compliance with regulations.




Equipment should be monitored for its MTBF (mean time between failure) that indicates its anticipated life span and when it should be scheduled for removal or replacement.


Cloud Computing 

Four cloud deployment models are listed below:


Private Cloud

Public Cloud

Community Cloud

Hybrid Cloud

Available for only private use of enterprise

Available for use of general public

Available for use by specific communities having common interest or mission.

A composition of two or more clouds (private, community or public)

Managed by either enterprise or by third party.

Managed by cloud service providers.

Managed by either enterprise or by third party.

Physically may exist on- or off-premise

Physically exist off premise

Physically may exist on- or off-premise


Risk practitioners should be aware that outsourcing of IT services does not remove accountability of the organization. 


  • Risk of cloud computing should be considered before making outsourcing decisions.


  • Laws and regulations of the country of origin may not be enforceable in the foreign country. At the same time, the laws and regulations of the foreign outsourcer may also impact the enterprise.


  • Organizations can enforce strong security controls by the supplier only if the same is included in SLA. Without addressing security requirements directly in the outsourcing contract, the outsourcing company has no assurance that the provider will be compliant with specific security requirements.


  • Right to audit is an important clause. However, service providers may not allow you to audit them directly. Instead they may  provide a proof of compliance conducted by an independent auditor.

Big Data


Risk associated with big data:


  • As all the data is stored at one place for analysis, any unauthorized access can have adverse impact.


  • Analysis of data without the consent of the subject, can impact privacy laws.


  • Also, when data is aggregated for analysis, information that is not individually identifiable information might become identifiable.

Vulnerability Assessment and Penetration Testing

  • Lack of adequate controls indicates a vulnerability. Vulnerability can be exposed by a threat which results in risk of confidentiality, integrity and availability. 


  • Vulnerability assessment is a process to identify weakness in the system or processes.

  •  It can be carried out either by a manual process or automated tools.


  • Automated tools have the ability to analyze large amounts of data, run multiple tests and identify weakness.



  • A manual test will give better results when content is not easily quantifiable and requires judgment.


  • To validate the results of a vulnerability assessment, the organization may conduct a penetration test.

  •  An expert penetration testing team uses the same tools and techniques as used by a real hacker.


  • It is advisable to conduct penetration after any major infrastructure changes are made.  


  • Findings of VA & PT should be used by risk practitioners to bridge the gaps. 


  • At the same time, absence of any findings, should not be considered as a full proof system. The system may still remain vulnerable to unknown vulnerabilities (zero day exploits).


  • Configuration management has the greatest likelihood of introducing vulnerabilities through misconfigurations and missing updates.


  • To determine the threat and vulnerability, risk scenarios are used for all elements of a business process and attempt is made to identify the likelihood of occurrence and the business impact if the threats were realized.


Configuration Management


Configuration management is the process of managing and updating system features, parameters and other functional settings. Misconfiguration and missing updates is the reason why configuration management is considered as the most susceptible to the introduction of an information-security-related vulnerability.

Misconfiguration and failure to update operating system (OS) code correctly and on a timely basis possess very high risk. Hackers will first try to exploit the vulnerabilities due to poor configuration.

Risk practitioners should ensure that the organization is having a robust configuration management process in place.


Input Validation Check


Absence of input validation check is one of the most serious vulnerabilities and allows attackers access to data through a web application.

In absence of validation checks in data input fields, attackers can exploit other weaknesses in the system. For example, through SQL injection attacks, hackers can illegally retrieve application data.

Risk practitioner to ensure that all the web applications should have appropriate input validation control to restrict entry of any unusual code in the system.


Off-shore Data Processing

  Most important factor to be considered while evaluating the proposal of off-shore data processing is prevalent laws and regulations. Risk practitioners should be aware about privacy laws and its requirements. Privacy law may prohibit transfer of sensitive customer data to an off-shore location.

Outsourcing Contracts


Risk practitioner should consider following important aspect with respect to outsourcing contracts:

  • Outsourcing contracts should include information security requirements for the service provider. If security requirements are not covered in outsourcing contracts, it will be difficult to get the same implemented by service providers.

  • Service providers should not be allowed to subcontract the critical processes. Subcontracting increases the risk of data leakage.

  • Outsourcing contracts should have provision to access the compliance of the service provider. Compliance can be verified through internal audit or by obtaining a certificate from an independent auditor.

Compliance oriented business impact analysis


Purpose of a compliance oriented business impact analysis is to identify all the compliance related requirements applicable to the organization. These requirements are mapped with business processes and objectives.

It is the most effective method to evaluate the potential impact of legal, regulatory and contractual requirements on business objective.

Key aspects from CRISC exam perspective


CRISC Question

Possible Answer

Which process is most susceptible to the introduction of a vulnerability? 

Configuration Management

Lack of adequate controls indicates


Risk scenario is primarily used in

Threat and Vulnerability Assessment

When should the penetration test be performed?

On periodic basis and when major infrastructure related changes are made

Hackers targeting well known start-up company is known as

Emerging threat

Most important consideration for data transferred to offshore location

  • Laws and regulations (specifically privacy laws)

  • Inclusion of security controls  in the outsourcing contract

Which process helps  to evaluate legal and regulatory impact on business objectives?

Compliance oriented business impact analysis (BIA)

Development of information security policy is primary based on


Video Tutorial - 1.3 Elements of Risk

Flashcards -1.3 Elements of Risk

Practice Questions -1.3 Elements of Risk

1.3 Elements of Risk

Popular posts from this blog

1.1 Risk Capacity, Risk Appetite and Risk Tolerance

1.1   Risk Capacity, Appetite and Tolerance First step of any risk management learning is to understand following three important terms: Risk Capacity Risk Tolerance  Risk Appetite  Let us understand the difference between Risk Capacity, Risk Appetite and Risk Tolerance:   Parameter Descriptions Risk Capacity Maximum risk an organization can afford to take. Risk Tolerance Risk tolerance levels are acceptable deviations from risk appetite. They are always lower than risk capacity. Risk Appetite Amount of risk an organization is willing to take.   Let us understand this with an practical example: Mr. A’s total saving is $1000. He wants to invest in equities to earn some income. Being risk conscious, he decides to invest only up to $700.  If the markets are good he is willing to further invest  $50.  Risk Capacity: Total amount available i.e. $1000 RIsk Appetite: His willingness to take risk i.e. $700 Risk Tolerance: Acceptance deviation from risk appetite

2.7 Risk Analysis Methodologies

2.7 Risk Analysis Methodologies Risk analysis is the process of ranking of various risk so that areas of high can be prioritized for treating them.   Risk can be measured and ranked by use of any of the following methods:   Quantitative Risk Assessment Qualitative Risk Assessment Semi-quantitative Risk Assessment   Factor that influence the selection for above technique is availability of accurate data for risk assessment. When data source is accurate and reliable, organization will prefer quantitative risk assessment as it will give risk value in some numeric terms like monitory values. Monetary value is easy to evaluate to determine the risk response. Quantitative Risk Assessment In quantitative risk assessment, risk is measured on the basis on numerical values. This helps in cost benefit analysis as risk in monetary term can be easily compared to cost of various risk responses.   In quantitative risk assessment, various statistical methods are us

Welcome to first ever Web Book on CRISC (Certified Risk & Information System Control)

We welcome you to access this web book on CRISC (Certified Risk & Information System Control) by ISACA.   Features of this web book are as follow:  This web book is designed on the basis of official resources of ISACA.  Web book is designed specifically for candidates from non-technical background. Topics are arranged segment wise and aligned with latest CRISC Review Manual.  500 + Exam oriented practice questions.  Start your preparation here: Chapter 1   Chapter 2   Chapter 3   Chapter 4   CRISC - Recorded Lectures  We are happy to announce that CRISC lectures is now made available in Udemy in recorded form. You can access them at any time as per your convenience. You will have life time access for the recorded lectures.  Following are the salient features of the lecture: This course is designed on the basis of official resources of ISACA. Course is designed specifically for candidates from non-technical background. Topics are arranged segment wise and aligned with lates